diff options
| author | van Hauser <vh@thc.org> | 2019-08-01 15:29:30 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-08-01 15:29:30 +0200 |
| commit | b14fead5929a1958d850a945effb5a0cbd6e5799 (patch) | |
| tree | db628f6c0356508a41a720b1bb083097a2514fac | |
| parent | 84855737b332a461f3da61f226142fcb4d2bef0a (diff) | |
| parent | ebf2c8caa590468e1eafbc257e44dc30af82e5f8 (diff) | |
| download | afl++-b14fead5929a1958d850a945effb5a0cbd6e5799.tar.gz | |
Merge pull request #35 from code-intelligence-gmbh/custom_mutator
Custom mutator
| -rw-r--r-- | afl-fuzz.c | 188 |
1 files changed, 129 insertions, 59 deletions
diff --git a/afl-fuzz.c b/afl-fuzz.c index 6c003ae6..a1388a55 100644 --- a/afl-fuzz.c +++ b/afl-fuzz.c @@ -126,7 +126,7 @@ double x_now[swarm_num][operator_num], core_operator_finds_puppet[operator_num], core_operator_finds_puppet_v2[operator_num], core_operator_cycles_puppet[operator_num], - core_operator_cycles_puppet_v2[operator_num], + core_operator_cycles_puppet_v2[operator_num], core_operator_cycles_puppet_v3[operator_num]; /* Execs per fuzz stage */ #define RAND_C (rand()%1000*0.001) @@ -368,6 +368,11 @@ static u32 a_extras_cnt; /* Total number of tokens available */ static u8* (*post_handler)(u8* buf, u32* len); +/* hooks for the custom mutator function */ +static size_t (*custom_mutator)(u8 *data, size_t size, u8* mutated_out, size_t max_size, unsigned int seed); +static size_t (*pre_save_handler)(u8 *data, size_t size, u8 **new_data); + + /* Interesting values, as per config.h */ static s8 interesting_8[] = { INTERESTING_8 }; @@ -394,7 +399,8 @@ enum { /* 14 */ STAGE_EXTRAS_AO, /* 15 */ STAGE_HAVOC, /* 16 */ STAGE_SPLICE, - /* 17 */ STAGE_PYTHON + /* 17 */ STAGE_PYTHON, + /* 18 */ STAGE_CUSTOM_MUTATOR }; /* Stage value types */ @@ -1560,7 +1566,7 @@ static u64 next_p2(u64 val) { while (val > ret) ret <<= 1; return ret; -} +} /* When we bump into a new path, we call this to see if the path appears @@ -1714,6 +1720,26 @@ static void setup_post(void) { } +static void setup_custom_mutator(void) { + void* dh; + u8* fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY"); + + if (!fn) return; + + ACTF("Loading custom mutator library from '%s'...", fn); + + dh = dlopen(fn, RTLD_NOW); + if (!dh) FATAL("%s", dlerror()); + + custom_mutator = dlsym(dh, "afl_custom_mutator"); + if (!custom_mutator) FATAL("Symbol 'afl_custom_mutator' not found."); + + pre_save_handler = dlsym(dh, "afl_pre_save_handler"); +// if (!pre_save_handler) WARNF("Symbol 'afl_pre_save_handler' not found."); + + OKF("Custom mutator installed successfully."); +} + /* Read all testcases from the input directory, then queue them for testing. Called at startup. */ @@ -2801,7 +2827,13 @@ static void write_to_testcase(void* mem, u32 len) { } else lseek(fd, 0, SEEK_SET); - ck_write(fd, mem, len, out_file); + if (pre_save_handler) { + u8* new_data; + size_t new_size = pre_save_handler(mem, len, &new_data); + ck_write(fd, new_data, new_size, out_file); + } else { + ck_write(fd, mem, len, out_file); + } if (!out_file) { @@ -4178,7 +4210,7 @@ static void maybe_delete_out_dir(void) { fn = alloc_printf("%s/plot_data", out_dir); if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; ck_free(fn); - + fn = alloc_printf("%s/cmdline", out_dir); if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; ck_free(fn); @@ -4236,7 +4268,7 @@ static void show_stats(void) { /* Calculate smoothed exec speed stats. */ if (!last_execs) { - + avg_exec = ((double)total_execs) * 1000 / (cur_ms - start_time); } else { @@ -4268,7 +4300,7 @@ static void show_stats(void) { t_bytes = count_non_255_bytes(virgin_bits); t_byte_ratio = ((double)t_bytes * 100) / MAP_SIZE; - if (t_bytes) + if (t_bytes) stab_ratio = 100 - ((double)var_byte_count) * 100 / t_bytes; else stab_ratio = 100; @@ -4290,7 +4322,7 @@ static void show_stats(void) { last_plot_ms = cur_ms; maybe_update_plot_file(t_byte_ratio, avg_exec); - + } /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ @@ -4338,11 +4370,11 @@ static void show_stats(void) { #ifdef HAVE_AFFINITY sprintf(tmp + banner_pad, "%s " cLCY VERSION cLGN - " (%s) " cPIN "[%s]" cBLU " {%d}", crash_mode ? cPIN "peruvian were-rabbit" : + " (%s) " cPIN "[%s]" cBLU " {%d}", crash_mode ? cPIN "peruvian were-rabbit" : cYEL "american fuzzy lop", use_banner, power_name, cpu_aff); #else sprintf(tmp + banner_pad, "%s " cLCY VERSION cLGN - " (%s) " cPIN "[%s]", crash_mode ? cPIN "peruvian were-rabbit" : + " (%s) " cPIN "[%s]", crash_mode ? cPIN "peruvian were-rabbit" : cYEL "american fuzzy lop", use_banner, power_name); #endif /* HAVE_AFFINITY */ @@ -4405,7 +4437,7 @@ static void show_stats(void) { if (dumb_mode) - SAYF(bV bSTOP " last new path : " cPIN "n/a" cRST + SAYF(bV bSTOP " last new path : " cPIN "n/a" cRST " (non-instrumented mode) "); else @@ -4432,7 +4464,7 @@ static void show_stats(void) { sprintf(tmp, "%s%s", DI(unique_hangs), (unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); - SAYF(bV bSTOP " last uniq hang : " cRST "%-33s " bSTG bV bSTOP + SAYF(bV bSTOP " last uniq hang : " cRST "%-33s " bSTG bV bSTOP " uniq hangs : " cRST "%-6s" bSTG bV "\n", DTD(cur_ms, last_hang_time), tmp); @@ -4449,10 +4481,10 @@ static void show_stats(void) { SAYF(bV bSTOP " now processing : " cRST "%-16s " bSTG bV bSTOP, tmp); - sprintf(tmp, "%0.02f%% / %0.02f%%", ((double)queue_cur->bitmap_size) * + sprintf(tmp, "%0.02f%% / %0.02f%%", ((double)queue_cur->bitmap_size) * 100 / MAP_SIZE, t_byte_ratio); - SAYF(" map density : %s%-21s" bSTG bV "\n", t_byte_ratio > 70 ? cLRD : + SAYF(" map density : %s%-21s" bSTG bV "\n", t_byte_ratio > 70 ? cLRD : ((t_bytes < 200 && !dumb_mode) ? cPIN : cRST), tmp); sprintf(tmp, "%s (%0.02f%%)", DI(cur_skipped_paths), @@ -4473,7 +4505,7 @@ static void show_stats(void) { /* Yeah... it's still going on... halp? */ - SAYF(bV bSTOP " now trying : " cRST "%-20s " bSTG bV bSTOP + SAYF(bV bSTOP " now trying : " cRST "%-20s " bSTG bV bSTOP " favored paths : " cRST "%-22s" bSTG bV "\n", stage_name, tmp); if (!stage_max) { @@ -4600,7 +4632,7 @@ static void show_stats(void) { if (t_bytes) sprintf(tmp, "%0.02f%%", stab_ratio); else strcpy(tmp, "n/a"); - SAYF(" stability : %s%-10s" bSTG bV "\n", (stab_ratio < 85 && var_byte_count > 40) + SAYF(" stability : %s%-10s" bSTG bV "\n", (stab_ratio < 85 && var_byte_count > 40) ? cLRD : ((queued_variable && (!persistent_mode || var_byte_count > 20)) ? cMGN : cRST), tmp); @@ -4634,9 +4666,14 @@ static void show_stats(void) { strcat(tmp, tmp2); } - - SAYF(bV bSTOP " trim : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB "\n" + if (custom_mutator) { + sprintf(tmp, "%s/%s", DI(stage_finds[STAGE_CUSTOM_MUTATOR]), DI(stage_cycles[STAGE_CUSTOM_MUTATOR])); + SAYF(bV bSTOP " custom mut. : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB "\n" + bLB bH30 bH20 bH2 bH bRB bSTOP cRST RESET_G1, tmp); + } else { + SAYF(bV bSTOP " trim : " cRST "%-36s " bSTG bVR bH20 bH2 bH bRB "\n" bLB bH30 bH20 bH2 bRB bSTOP cRST RESET_G1, tmp); + } /* Provide some CPU utilization stats. */ @@ -4717,7 +4754,7 @@ static void show_init_stats(void) { SAYF("\n"); - if (avg_us > ((qemu_mode || unicorn_mode) ? 50000 : 10000)) + if (avg_us > ((qemu_mode || unicorn_mode) ? 50000 : 10000)) WARNF(cLRD "The target binary is pretty slow! See %s/perf_tips.txt.", doc_path); @@ -5198,7 +5235,7 @@ static u32 calculate_score(struct queue_entry* q) { switch (schedule) { - case EXPLORE: + case EXPLORE: break; case EXPLOIT: @@ -5209,7 +5246,7 @@ static u32 calculate_score(struct queue_entry* q) { fuzz_total = 0; n_paths = 0; - struct queue_entry *queue_it = queue; + struct queue_entry *queue_it = queue; while (queue_it) { fuzz_total += queue_it->n_fuzz; n_paths ++; @@ -5220,22 +5257,22 @@ static u32 calculate_score(struct queue_entry* q) { if (fuzz <= fuzz_mu) { if (q->fuzz_level < 16) factor = ((u32) (1 << q->fuzz_level)); - else + else factor = MAX_FACTOR; } else { factor = 0; } break; - + case FAST: if (q->fuzz_level < 16) { - factor = ((u32) (1 << q->fuzz_level)) / (fuzz == 0 ? 1 : fuzz); + factor = ((u32) (1 << q->fuzz_level)) / (fuzz == 0 ? 1 : fuzz); } else factor = MAX_FACTOR / (fuzz == 0 ? 1 : next_p2 (fuzz)); break; case LIN: - factor = q->fuzz_level / (fuzz == 0 ? 1 : fuzz); + factor = q->fuzz_level / (fuzz == 0 ? 1 : fuzz); break; case QUAD: @@ -5245,7 +5282,7 @@ static u32 calculate_score(struct queue_entry* q) { default: PFATAL ("Unknown Power Schedule"); } - if (factor > MAX_FACTOR) + if (factor > MAX_FACTOR) factor = MAX_FACTOR; perf_score *= factor / POWER_BETA; @@ -5561,7 +5598,7 @@ static u8 fuzz_one_original(char** argv) { * TRIMMING * ************/ - if (!dumb_mode && !queue_cur->trim_done) { + if (!dumb_mode && !queue_cur->trim_done && !custom_mutator) { u8 res = trim_case(argv, queue_cur, in_buf); @@ -5591,16 +5628,48 @@ static u8 fuzz_one_original(char** argv) { if (perf_score == 0) goto abandon_entry; + if (custom_mutator) { + stage_short = "custom"; + stage_name = "custom mutator"; + stage_max = len << 3; + stage_val_type = STAGE_VAL_NONE; + + const u32 max_seed_size = 4096*4096; + u8* mutated_buf = ck_alloc(max_seed_size); + + orig_hit_cnt = queued_paths + unique_crashes; + + for (stage_cur = 0 ; stage_cur < stage_max ; stage_cur++) { + size_t orig_size = (size_t) len; + size_t mutated_size = custom_mutator(out_buf, orig_size, mutated_buf, max_seed_size, UR(UINT32_MAX)); + if (mutated_size > 0) { + out_buf = ck_realloc(out_buf, mutated_size); + memcpy(out_buf, mutated_buf, mutated_size); + if (common_fuzz_stuff(argv, out_buf, (u32) mutated_size)) { + goto abandon_entry; + } + } + } + + ck_free(mutated_buf); + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_CUSTOM_MUTATOR] += stage_max; + goto abandon_entry; + } + + /* Skip right away if -d is given, if it has not been chosen sufficiently often to warrant the expensive deterministic stage (fuzz_level), or if it has gone through deterministic testing in earlier, resumed runs (passed_det). */ - if (skip_deterministic - || ((!queue_cur->passed_det) + if (skip_deterministic + || ((!queue_cur->passed_det) && perf_score < ( queue_cur->depth * 30 <= havoc_max_mult * 100 - ? queue_cur->depth * 30 + ? queue_cur->depth * 30 : havoc_max_mult * 100)) || queue_cur->passed_det) #ifdef USE_PYTHON @@ -7259,7 +7328,7 @@ static u8 pilot_fuzzing(char** argv) { u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0; u64 havoc_queued, orig_hit_cnt, new_hit_cnt, cur_ms_lv; u32 splice_cycle = 0, perf_score = 100, orig_perf, prev_cksum, eff_cnt = 1; - + u8 ret_val = 1, doing_det = 0; u8 a_collect[MAX_AUTO_EXTRA]; @@ -7412,7 +7481,7 @@ static u8 pilot_fuzzing(char** argv) { key_puppet = 1; goto pacemaker_fuzzing; } - + doing_det = 1; /********************************************* @@ -7591,7 +7660,7 @@ static u8 pilot_fuzzing(char** argv) { - + /* Effector map setup. These macros calculate: EFF_APOS - position of a particular file offset in the map. @@ -7773,7 +7842,7 @@ static u8 pilot_fuzzing(char** argv) { - + skip_bitflip: @@ -8197,7 +8266,7 @@ static u8 pilot_fuzzing(char** argv) { stage_cur = 0; stage_max = 2 * (len - 3) * (sizeof(interesting_32) >> 2); - + orig_hit_cnt = new_hit_cnt; for (i = 0; i < len - 3; i++) { @@ -8446,7 +8515,7 @@ static u8 pilot_fuzzing(char** argv) { /**************** * RANDOM HAVOC * ****************/ - + havoc_stage: pacemaker_fuzzing: @@ -8481,7 +8550,7 @@ static u8 pilot_fuzzing(char** argv) { cur_ms_lv = get_cur_time(); { - + if (key_puppet == 1) { @@ -8492,7 +8561,7 @@ static u8 pilot_fuzzing(char** argv) { SPLICE_CYCLES_puppet = (UR(SPLICE_CYCLES_puppet_up - SPLICE_CYCLES_puppet_low + 1) + SPLICE_CYCLES_puppet_low); } } - + { havoc_stage_puppet: @@ -8776,7 +8845,7 @@ static u8 pilot_fuzzing(char** argv) { ck_free(out_buf); out_buf = new_buf; temp_len += clone_len; - stage_cycles_puppet_v2[swarm_now][STAGE_Clone75] += 1; + stage_cycles_puppet_v2[swarm_now][STAGE_Clone75] += 1; } break; @@ -8803,7 +8872,7 @@ static u8 pilot_fuzzing(char** argv) { } else memset(out_buf + copy_to, UR(2) ? UR(256) : out_buf[UR(temp_len)], copy_len); - stage_cycles_puppet_v2[swarm_now][STAGE_OverWrite75] += 1; + stage_cycles_puppet_v2[swarm_now][STAGE_OverWrite75] += 1; break; } @@ -8815,7 +8884,7 @@ static u8 pilot_fuzzing(char** argv) { tmp_pilot_time += 1; - + @@ -8861,7 +8930,7 @@ static u8 pilot_fuzzing(char** argv) { } new_hit_cnt = queued_paths + unique_crashes; - + if (!splice_cycle) { stage_finds[STAGE_HAVOC] += new_hit_cnt - orig_hit_cnt; stage_cycles[STAGE_HAVOC] += stage_max; @@ -8992,7 +9061,7 @@ static u8 pilot_fuzzing(char** argv) { last_limit_time_start = 0; } } - + if (unlikely(tmp_pilot_time > period_pilot)) { total_pacemaker_time += tmp_pilot_time; @@ -9064,7 +9133,7 @@ static u8 core_fuzzing(char** argv) { u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0; u64 havoc_queued, orig_hit_cnt, new_hit_cnt, cur_ms_lv; u32 splice_cycle = 0, perf_score = 100, orig_perf, prev_cksum, eff_cnt = 1; - + u8 ret_val = 1, doing_det = 0; u8 a_collect[MAX_AUTO_EXTRA]; @@ -9325,7 +9394,7 @@ static u8 core_fuzzing(char** argv) { stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; stage_cycles[STAGE_FLIP1] += stage_max; - + /* Two walking bits. */ @@ -9533,7 +9602,7 @@ static u8 core_fuzzing(char** argv) { stage_cur = 0; stage_max = len - 3; - + orig_hit_cnt = new_hit_cnt; for (i = 0; i < len - 3; i++) { @@ -10218,7 +10287,7 @@ static u8 core_fuzzing(char** argv) { /**************** * RANDOM HAVOC * ****************/ - + havoc_stage: pacemaker_fuzzing: @@ -10519,7 +10588,7 @@ static u8 core_fuzzing(char** argv) { ck_free(out_buf); out_buf = new_buf; temp_len += clone_len; - core_operator_cycles_puppet_v2[STAGE_Clone75] += 1; + core_operator_cycles_puppet_v2[STAGE_Clone75] += 1; } break; @@ -10546,7 +10615,7 @@ static u8 core_fuzzing(char** argv) { } else memset(out_buf + copy_to, UR(2) ? UR(256) : out_buf[UR(temp_len)], copy_len); - core_operator_cycles_puppet_v2[STAGE_OverWrite75] += 1; + core_operator_cycles_puppet_v2[STAGE_OverWrite75] += 1; break; } @@ -10598,7 +10667,7 @@ static u8 core_fuzzing(char** argv) { } new_hit_cnt = queued_paths + unique_crashes; - + #ifndef IGNORE_FINDS @@ -10754,13 +10823,13 @@ void pso_updating(void) { g_now += 1; if (g_now > g_max) g_now = 0; - w_now = (w_init - w_end)*(g_max - g_now) / (g_max)+w_end; + w_now = (w_init - w_end)*(g_max - g_now) / (g_max)+w_end; int tmp_swarm, i, j; u64 temp_operator_finds_puppet = 0; for (i = 0; i < operator_num; i++) { operator_finds_puppet[i] = core_operator_finds_puppet[i]; - + for (j = 0; j < swarm_num; j++) { operator_finds_puppet[i] = operator_finds_puppet[i] + stage_finds_puppet[j][i]; @@ -10771,7 +10840,7 @@ void pso_updating(void) { for (i = 0; i < operator_num; i++) { if (operator_finds_puppet[i]) - G_best[i] = (double)((double)(operator_finds_puppet[i]) / (double)(temp_operator_finds_puppet)); + G_best[i] = (double)((double)(operator_finds_puppet[i]) / (double)(temp_operator_finds_puppet)); } for (tmp_swarm = 0; tmp_swarm < swarm_num; tmp_swarm++) @@ -10800,7 +10869,7 @@ void pso_updating(void) { if (probability_now[tmp_swarm][operator_num - 1] < 0.99 || probability_now[tmp_swarm][operator_num - 1] > 1.01) FATAL("ERROR probability"); } swarm_now = 0; - key_module = 0; + key_module = 0; } @@ -10820,7 +10889,7 @@ static u8 fuzz_one(char** argv) { pso_updating(); } - return key_val_lv; + return key_val_lv; } @@ -12236,10 +12305,10 @@ int main(int argc, char** argv) { else probability_now[tmp_swarm][i] = x_now[tmp_swarm][i]; } - if (probability_now[tmp_swarm][operator_num - 1] < 0.99 || probability_now[tmp_swarm][operator_num - 1] > 1.01) + if (probability_now[tmp_swarm][operator_num - 1] < 0.99 || probability_now[tmp_swarm][operator_num - 1] > 1.01) FATAL("ERROR probability"); } - + for (i = 0; i < operator_num; i++) { core_operator_finds_puppet[i] = 0; core_operator_finds_puppet_v2[i] = 0; @@ -12287,7 +12356,7 @@ int main(int argc, char** argv) { if (unicorn_mode) FATAL("-U and -n are mutually exclusive"); } - + if (index(argv[optind], '/') == NULL) WARNF(cLRD "Target binary called without a prefixed path, make sure you are fuzzing the right binary: " cRST "%s", argv[optind]); OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" Eissfeldt and Andrea Fioraldi"); @@ -12363,6 +12432,7 @@ int main(int argc, char** argv) { check_cpu_governor(); setup_post(); + setup_custom_mutator(); setup_shm(dumb_mode); if (!in_bitmap) memset(virgin_bits, 255, MAP_SIZE); @@ -12540,7 +12610,7 @@ stop_fuzzing: SAYF(cYEL "[!] " cRST "Time limit was reached\n"); if (most_execs_key == 2) SAYF(cYEL "[!] " cRST "Execution limit was reached\n"); - + /* Running for more than 30 minutes but still doing first cycle? */ if (queue_cycle == 1 && get_cur_time() - start_time > 30 * 60 * 1000) { |